Hvem vil checke min Hijackthis-log??

Jeg kan se, at du har en led winik-infektion. Et øjeblik :-)

-- Download WinkRootkitremover og gem det på dit skrivebord:
http://secured2k.home.comcast.net/tools/WinKRootKitRemover.exe
Kør programmet, klik på "run" og herefter på "start". Gem den log som laves på dit skrivebord.

-- Hent Silentrunners, og gem det på dit skrivebord:
http://www.silentrunners.org/Silent%20Runners.vbs

Kør programmet, klik på Ja. Klik på OK. Vent så indtil der kommer en besked om at logfilen er færdig. Find log-filen, og læg den herind (den lægger sig i samme mappe som silentrunner programmet ligger i). Dette vil lave en logfil på dit skrivebord, som hedder "Startup Programs ..."

Kopier indholdet mellem de stiplede linier ind i et notepad-vindue, og gem det på dit skrivebord som options.txt. Når du gemmer det skal du sikre dig, at der står "Alle filer" ud for "Filtyper"

----------------
RegSearch Options File

[Search]
winik

[Exclude]

[Options]
Filter=KVDLU
----------------

-- Hent Registry Search, som er lavet af Bobbi Flekman, og pak det ud på dit skrivebord:
http://www.bleepingcomputer.com/files/regsearch.php

Klik på regsearch.exe for at starte programmet. Klik på "Import" og "Select" filen "Options.txt" som du lavede tidligere. Klik på OK, hvorefter programmet vil søge i registreringsdatabasen. Resultatet heraf skal du lægge ind i dit næste svar.

-- I dit næste svar vil jeg gerne se loggen fra WinKRootKitRemover, Silent Runners, Registry Search Loggen. Derudover må du også gerne lave en ny log med Hijackthis, som du lægger herind.

Ejvindh, mht. Silentrunners:
Er det ALT indholdet mellem de stiplede linier????

Der er flere af dem-->
"startup items buried in registry"
"Active desktop and wallpaper"
"Startup items in "Uffe" & "All Users" startup folders"
"Winsock2 Service Provider DLLs"
"Toolbars, Explorer Bars, Extensions"
"Running Services (Display Name, Service Name, Path {Service DLL})"

uffesteenberg: Jeg kan godt se at det er lidt uklart formuleret, men det er ikke indholdet af silentrunners-loggen der skal kopieres ind i et notepad-vindue, men indholdet mellem de stiplede linier lidt længere nede i indlægget (startende med "RegSearch Options File")

OK, her kommer de forskellige logs:

WinKRootKit:
-----------
02/17/2006, 14:57:48 - Starting Process
02/17/2006, 14:57:48 - Could not detect the service installed. Nothing else to do!

Startup Programs-log fra Silentrunners:
----------------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"adobemgr" = "C:\WINDOWS\system32\adobemgr.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiSUSBRG" = "C:\WINDOWS\SiSUSBrg.exe" ["Silicon Integrated Systems Corp."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"MaxtorOneTouch" = "C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" ["Maxtor"]
"MXO Auto Loader" = "C:\WINDOWS\MXOALDR.EXE" ["Cypress Semiconductor"]
"TkBellExe" = ""C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"HotKey" = "C:\WINDOWS\Twain_32\SlimU2\HotKey.exe" ["Pmx. Electronics Ltd."]
"ZEFHR5ox" = "C:\PROGRA~1\pvpxuuvt\bUQAEgxN.exe" [file not found]
"QuickTime Task" = ""C:\Programmer\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"gcasServ" = ""C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{A114D52B-870C-4F15-8021-B6D7F91A054B}\(Default) = "iFinger plugin / Browser helper object" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\iFinger\plugins\IE.ifp" ["iFinger Ltd"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programmer\google\googletoolbar1.dll" ["Google Inc."]
{E7358476-7F91-4907-A3AE-7EA486A0ED31}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\usrswpia.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Kontrolpanel-udvidelse til skærmpanorering"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikon"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Landskab.bmp"


Startup items in "Uffe" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start
"Adobe Reader Hurtigstart" -> shortcut to: "C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"iFinger 2.0" -> shortcut to: "C:\Programmer\iFinger\iFinger.exe /NOSPLASH" ["iFinger Ltd"]
"Microsoft Office" -> shortcut to: "C:\Programmer\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programmer\google\googletoolbar1.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programmer\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "c:\programmer\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{0CBD5120-990B-11D3-8ABD-00C04FA95EE0}\ = "iFinger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{936E5D60-596C-11D3-BB96-00600816DF55}\
"ButtonText" = "iFinger"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programmer\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Machine Debug Manager, MDM, ""C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Sygate Personal Firewall, SmcService, "C:\Programmer\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 44 seconds, including 4 seconds for message boxes)



RegSearch-log:
---------------
REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 17-02-2006 15:05:03 for strings:
;  'winik'
; Strings excluded from search:
;  (None)
; Search in:
;  Registry Keys  Registry Values  Registry Data
;  HKEY_LOCAL_MACHINE  HKEY_USERS


[HKEY_USERS\S-1-5-21-1390067357-920026266-854245398-1004\Software\Google\NavClient\1.1\History]
"winik"=hex:86,bf,f5,43

[HKEY_USERS\S-1-5-21-1390067357-920026266-854245398-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Uffe\\Skrivebord\\WinKRootKitRemover.exe"="This program will look for WinKRootKit (winik.sys) and attempt to remove it."

; End Of The Log...


Ny Hijackthis-log:
------------------
Logfile of HijackThis v1.99.1
Scan saved at 15:10:44, on 17-02-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Programmer\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Uffe\Skrivebord\REBOOT PROBLEM\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\Programmer\iFinger\plugins\IE.ifp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: (no name) - {E7358476-7F91-4907-A3AE-7EA486A0ED31} - C:\WINDOWS\system32\usrswpia.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [ZEFHR5ox] C:\PROGRA~1\pvpxuuvt\bUQAEgxN.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [adobemgr] C:\WINDOWS\system32\adobemgr.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iFinger 2.0.lnk = C:\Programmer\iFinger\iFinger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmer\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {ABCCB0F0-514E-4BA6-989D-C67E5DBC2946} - https://download.danskebank.dk/download/keydownload/DB/KeyDownload.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe

Det ser godt ud. Det ser faktisk ud til at infektionen var blevet taget allerede da du kørte Dr.Web og Ewido. Men det må vi lige checke, og det kan vi gøre ved at se hvor nemt de sidste rester lader sig fjerne. Prøv derfor følgende:

Kør Hijackthis, vælg "Do a system scan only", sæt flueben ved linierne listet her, luk alle vinduer undtaget Hijackthis, klik på fix checked.

O2 - BHO: (no name) - {E7358476-7F91-4907-A3AE-7EA486A0ED31} - C:\WINDOWS\system32\usrswpia.dll (file missing)
O4 - HKLM\..\Run: [ZEFHR5ox] C:\PROGRA~1\pvpxuuvt\bUQAEgxN.exe
O4 - HKCU\..\Run: [adobemgr] C:\WINDOWS\system32\adobemgr.exe

Genstart computeren, og lav en ny HJT-log, som du lægger herind til check.

Så er det ordnet... her er den nye Hijack-log:

Logfile of HijackThis v1.99.1
Scan saved at 21:08:15, on 17-02-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Programmer\Microsoft AntiSpyware\gcasServ.exe
C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\eMule\emule.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Uffe\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\Programmer\iFinger\plugins\IE.ifp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iFinger 2.0.lnk = C:\Programmer\iFinger\iFinger.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programmer\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programmer\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programmer\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programmer\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programmer\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {ABCCB0F0-514E-4BA6-989D-C67E5DBC2946} - https://download.danskebank.dk/download/keydownload/DB/KeyDownload.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmer\Sygate\SPF\smc.exe

PC'en genstarter dog stadigvæk nogle gange inden jeg kan starte op..

Jeg får også en fejlmelding fra Windows:
"Systemet er genoprettet efter en alvorlig fejl"

På min egen og på min kærestes brugerkonto er fejlsignaturen:
BCCode:1000008e BCP1:C000001D BCP2:F92BFEED
BCP3:F9C2FC2C BCP4:00000000
OSVer:5_1_2600 SP:2_0 Product:768_1

Når jeg logger på min brugerkonto ser fejlrapporten således ud:
"Fejlrapporten indeholder følgende filer":
C:\DOCUME~1\Uffe\LOKALE~1\TEMP\WERd50a.dir00\Mini021706-13.dmp
C:\DOCUME~1\Uffe\LOKALE~1\TEMP\WERd50a.dir00\sysdate.xml

Når jeg logger på min kærestes brugerkonto ser fejlrapporten således ud:
"Fejlrapporten indeholder følgende filer":
C:\DOCUME~1\LAILA\LOKALE~1\TEMP\WER9dca.dir00\Mini021706-15.dmp
C:\DOCUME~1\LAILA\LOKALE~1\TEMP\WER9dca.dir00\sysdata.xml

Når fejlrapporten er sendt, bliver jeg præsenteret for denne side:
http://oca.microsoft.com/en/response.aspx?SGD=a7ae047d-4eb6-4a79-bfca-27470a03701f&SID=11

Er det noget, der kan spille ind???

Loggen er ren. For at gøre arbejdet helt færdig:
Det kan være en god ide og rydde op i systemgendannelses filerne. Deaktiver systemgendannelse (http://www.spywarefri.dk/virusscannere.htm#alle) - genstart din computer - aktiver systemgendannelse.
Og så kan det også være en god ide at skjule dine systemfiler og -mapper igen, så du ikke ved en fejl kommer til at slette en vigtig fil. Det gør du samme sted, hvor du satte det til at vise alle filer, denne gang vælger du bare: Vis ikke skjulte filer og mapper.

Det kan også være en god ide at få renset ud i dine midlertidige filer. Det kan gøres på en hurtig og nem måde med denne fil
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

For at forhindre gentagelser, vil jeg anbefale dig at lægge nogle små programmer ind, som forhindrer spyware i at komme ind i første omgang. Du finder links og gode råd her:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

Jeg vil også foreslå, at du læser denne artikel om hvordan du kan undgå at blive inficeret i fremtiden:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414

Angående det fortsatte problem, så havde jeg det nok på fornemmelsen, at virus-rensningen ikke ville løse problemet (som jeg også nævnte i den anden tråd). Det link du lagde tyder på, at du har et driver-problem. Prøv derfor at gå ind i din enhedshåndtering (klik på Start-Kontrolpanel-system-fanebladet Hardware-Enhedshåndtering, og se om der er nogle gule udråbstegn, som indikerer et problem på en driver. Findes der sådanne udråbstegn?

Jeg vil selvfølgelig lige følge dine sidste instruktioner, selv om jeg allerede har Microsoft Antispyware, Spybot og Ad-Aware... hellere gå med livrem og seler end at tabe bukserne!!!

Da fejlmeddelelsen skrev noget om "device drivers" slettede og geninstallerede jeg skærmkortdriver og fjernede en Microsoft Update-opdatering af C-media lyd-driver (de to eneste jeg har rodet med for nylig)... det har muligvis haft noget med en af de to at gøre, for idag genstarter pc'en ikke længere :-)

Under alle omstændigheder takker jeg maaange gange for dine velkvalificerede hjælp... rarat at få luget ud i det usynlige snavs!!! Og så lærte jeg også Exido og Hijackthis at kende...

Det var så lidt. Jeg takker for point :-)

...og god karma ;-)

Nå, det er fra dig. Ja, så takker jeg for den også. Det luner altid :-)